In 3GPP (3rd Generation Partnership Project), there have been discussions related to handover security.
There have been approaches directed to:
performing AKA (authentication and key agreement) immediately after a handover to E-UTRAN, and subsequently performing a key change on-the-fly (discussed e.g. in the 3GPP SA3 (system architecture 3));
using a key hierarchy also for an update of e.g. the UTRAN/GERAN side (to be described herein below); and
a partial solution for key caching for E-UTRAN, which has been mentioned in 3GPP SA3.
However, in view of the above, in case the CK and IK keys used e.g. on the UTRAN/GERAN side are compromised (such as an attacker obtaining the CK/IK keys from an RNC (radio network controller), a home Node B, or an HSPA base station) and a handover to E-UTRAN occurs, there is a problem in that the E-UTRAN keys will be compromised as well, as they are based on the CK/IK transferred e.g. from the UTRAN/GERAN side to the E-UTRAN.
In consideration of the above, it is an object of the present invention to overcome one or more of the above drawbacks. In particular, the present invention provides methods, apparatuses, a system and related computer program products for handover security.
According to the present invention, in a first aspect, this object is for example achieved by a method comprising:
receiving, prior to a handover operation, first key indication information;
creating, prior to the handover operation, key information based on the received first key indication information;
retaining the created key information;
sending, after the handover operation, the received first key indication information associated with the key information created prior to the handover operation; and
retrieving, after the handover operation, the retained key information based on the first key indication information.
According to further refinements of the invention as defined under the above first aspect,
the method further comprises sending a response indicative of the successful creating;
the handover operation is performed between a first network entity and a second network entity;
at least one of the receiving prior to the handover operation and the creating is a portion of a challenge/response protocol;
the challenge/response protocol is constituted by at least one of an authentication and key agreement protocol and an extensible authentication protocol;
the retaining comprises dispensing with a security mode command;
the key information comprises at least one of a ciphering key and an integrity key;
the first key identification information comprises a key set identifier.
According to the present invention, in a second aspect, this object is for example achieved by a method comprising:
generating, prior to a handover operation, first key indication information associated with key information intended to be created;
sending, prior to the handover operation, the generated first key indication information; and
receiving, after the handover operation, second key indication information corresponding to the generated first key indication information.
According to further refinements of the invention as defined under the above second aspect,
the method further comprises receiving a response indicative of the successful creating;
the handover operation is performed between a first network entity and a second network entity;
at least one of the generating and the sending is a portion of a challenge/response protocol;
the challenge/response protocol is constituted by at least one of an authentication and key agreement protocol and an extensible authentication protocol;
the receiving after the handover operation comprises a security context transfer;
at least one of the first and second key identification information comprises a key set identifier.
According to the present invention, in a third aspect, this object is for example achieved by an apparatus comprising:
a receiver configured to receive, prior to a handover operation, first key indication information;
a creator configured to create, prior to the handover operation, key information based on the first key indication information received by the receiver;
a retainer configured to retain the key information created by the creator;
a sender configured to send, after the handover operation, the first key indication information received by the receiver and associated with the key information created by the creator prior to the handover operation; and
a retriever configured to retrieve, after the handover operation, the key information retained by the retainer based on the first key indication information.
According to further refinements of the invention as defined under the above third aspect,
the sender is configured to send a response indicative of a successful creating of the first key information;
the handover operation is performed between a first network entity and a second network entity;
at least one of the receiver and the creator is configured to perform at least a portion of a challenge/response protocol;
the challenge/response protocol is constituted by at least one of an authentication and key agreement protocol and an extensible authentication protocol;
the retainer is further configured to dispense with a security mode command;
the key information comprises at least one of a ciphering key and an integrity key;
the first key identification information comprises a key set identifier;
the apparatus is a user equipment;
the apparatus is compliant to at least one of a universal mobile telecommunications system terrestrial radio access network, a global system for mobile communication enhanced data rates for global evolution radio access network and an evolved universal mobile telecommunications system terrestrial radio access network.
According to the present invention, in a fourth aspect, this object is for example achieved by an apparatus comprising:
a generator configured to generate, prior to a handover operation, first key indication information associated with key information intended to be created;
a sender configured to send, prior to the handover operation, the first key indication information generated by the generator; and
a receiver configured to receive, after the handover operation, second key indication information corresponding to the first key indication information generated by the generator.
According to further refinements of the invention as defined under the above fourth aspect,
the receiver is configured to receive a response indicative of a successful creating of the first key information;
the handover operation is performed between a first network entity and a second network entity;
at least one of the generator and the sender is configured to perform a portion of a challenge/response protocol;
the challenge/response protocol is constituted by at least one of an authentication and key agreement protocol and an extensible authentication protocol;
the receiver is further configured to receive based on a security context transfer;
at least one of the first and second key identification information comprises a key set identifier;
the apparatus is constituted by at least one of a serving general packet radio service support node and a mobility management entity.
According to the present invention, in a fifth aspect, this object is for example achieved by an apparatus comprising:
means for receiving, prior to a handover operation, first key indication information;
means for creating, prior to the handover operation, key information based on the first key indication information received by the means for receiving;
means for retaining the key information created by the means for creating;
means for sending, after the handover operation, the first key indication information received by the means for receiving and associated with the key information created by the means for creating prior to the handover operation; and
means for retrieving, after the handover operation, the key information retained by the means for retaining based on the first key indication information.
According to the present invention, in a sixth aspect, this object is for example achieved by an apparatus comprising:
means for generating, prior to a handover operation, first key indication information associated with key information intended to be created;
means for sending, prior to the handover operation, the first key indication information generated by the means for generating; and
means for receiving, after the handover operation, second key indication information corresponding to the key indication information generated by the means for generating.
According to further refinements of the invention as defined under the above third to sixth aspects,
the apparatus is implemented as a chipset or module.
According to the present invention, in a seventh aspect, this object is for example achieved by a system comprising at least one of:
an apparatus according to the third aspect; and
an apparatus according to the fourth aspect; and
an apparatus according to the fifth aspect; and
an apparatus according to the sixth aspect.
According to the present invention, in an eighth aspect, this object is for example achieved by a computer program product comprising code means configured to carry out a method comprising:
receiving, prior to a handover operation, first key indication information;
creating, prior to the handover operation, key information based on the received first key indication information;
retaining the created key information;
sending, after the handover operation, the received first key indication information associated with the key information created prior to the handover operation; and
retrieving, after the handover operation, the retained key information based on the first key indication information.
According to further refinements of the invention as defined under the above eighth aspect,
the computer program product is embodied on a computer-readable medium.
According to the present invention, in a ninth aspect, this object is for example achieved by a computer program product comprising code means configured to carry out a method comprising:
generating, prior to a handover operation, first key indication information associated with key information intended to be created;
sending, prior to the handover operation, the generated first key indication information; and
receiving, after the handover operation, second key indication information corresponding to the generated first key indication information.
According to further refinements of the invention as defined under the above ninth aspect,
the computer program product is embodied on a computer-readable medium.
In this connection, it has to be pointed out that the present invention enables one or more of the following:
Portability of keys e.g. into the E-UTRAN side.
Independency from a release version e.g. of the SGSN (serving GPRS (general packet radio service) support node) involved.
Independency from a release version of the UE (user equipment), since the AKA may be performed without the SMC (security mode command).
Enabling detection of the release version of the UE (e.g. if handover to E-UTRAN is possible for the UE, the UE is Release 8 or newer).
Efficient usage of the KSI (key set identifier) in order to identify keys also on the E-UTRAN side (e.g. if the KSI points to the previous (so called “old”) CK and IK used on the UTRAN/GERAN side or to the new keys based on the AKA without respective SMC procedure).
Integrity protection e.g. of the first message to the E-UTRAN (e.g. service request or initial L3 (level 3) message or RRC (radio resource control) connection request, etc.), since with cached and transferred keys (handover from UTRAN/GERAN to E-UTRAN), the UE can sign e.g. the first message to the E-UTRAN.
Faster detach-to-attach transition due to security context caching, especially in handovers back to the E-UTRAN independently of the source RAT (radio access technology).
Enabling failure recovery e.g. in case the radio connection to the source RAT was lost (i.e. security context caching in E-UTRAN does not require any information from other RATs).
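The key caching exchange of the first and second aspects, together with the KSI usage described above, as an added Python model that is not part of the application: the HMAC-based kdf, the KeyHolder class and the random challenges are assumptions standing in for the 3GPP key derivation, and the E-UTRAN key is a placeholder for whatever the target side derives from CK/IK.

```python
import hashlib
import hmac
import os


def kdf(key: bytes, label: bytes) -> bytes:
    """Stand-in key derivation (HMAC-SHA256); an assumption, not the 3GPP KDF."""
    return hmac.new(key, label, hashlib.sha256).digest()


class KeyHolder:
    """Shared behaviour of the UE and the core node: key sets retained under a KSI."""

    def __init__(self, k: bytes):
        self.k = k        # long-term key shared by UE and home network (constructed)
        self.cache = {}   # KSI -> (CK, IK): key information retained, not yet activated

    def create_keys(self, ksi: int, rand: bytes) -> None:
        # AKA challenge: CK/IK are created and retained under the KSI (first aspect).
        # No SMC follows, so the keys are not taken into use on the UTRAN/GERAN side.
        self.cache[ksi] = (kdf(self.k, b"CK" + rand), kdf(self.k, b"IK" + rand))

    def eutran_key(self, ksi: int) -> bytes:
        # After handover the indicated KSI selects the retained key set; the
        # E-UTRAN key is derived from that set rather than from transferred keys.
        ck, ik = self.cache[ksi]
        return kdf(ck + ik, b"E-UTRAN")


def simulate_handover(k: bytes, old_ksi: int, new_ksi: int, indicated_ksi: int):
    """Return (ue_and_core_agree, key_recoverable_from_leaked_old_ck_ik)."""
    ue, core = KeyHolder(k), KeyHolder(k)
    # Key set currently in use on UTRAN/GERAN: this is what an RNC holds.
    old_rand = os.urandom(16)
    ue.create_keys(old_ksi, old_rand)
    core.create_keys(old_ksi, old_rand)
    # Pre-handover AKA without SMC: a fresh KSI and key set are cached on both sides.
    new_rand = os.urandom(16)
    ue.create_keys(new_ksi, new_rand)
    core.create_keys(new_ksi, new_rand)
    # Handover: UE sends the KSI; the core retrieves the retained keys it points to.
    ue_key = ue.eutran_key(indicated_ksi)
    core_key = core.eutran_key(indicated_ksi)
    # Model of the compromise in the background section: only the old CK/IK leak.
    leaked_ck, leaked_ik = core.cache[old_ksi]
    from_leak = kdf(leaked_ck + leaked_ik, b"E-UTRAN")
    return ue_key == core_key, from_leak == core_key
```

With the KSI pointing to the cached new keys the sides agree and the leaked UTRAN/GERAN keys do not yield the E-UTRAN key; with the KSI pointing to the old keys they still agree, but the E-UTRAN key is exactly what the leak exposes.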